Privacy Program Vocabulary

Question 1

What is accountability in the context of privacy laws?

Answer 1

The ability to demonstrate that technical and organisational measures for personal data handling have been implemented and comply with relevant laws, such as GDPR and APEC’s Cross Border Privacy Rules. It is a foundational principle of fair information practices.

Question 2

What are active scanning tools, and what are they used for?

Answer 2

Tools like Data Loss Prevention (DLP) systems and privacy tools that identify security and privacy risks to personal information. They can monitor compliance and block unauthorised transfers based on data categories.

Question 3

What is anonymization, and what are the three primary techniques?

Answer 3

A process where identifiable data is altered so it cannot be linked back to an individual. Techniques include:
Suppression: Removing identifying values.
Generalization: Broadening specific data (e.g., age 18 → 18-24).
Noise Addition: Mixing identifying values within a dataset.

Question 4

What are the APEC Privacy Principles?

Answer 4

Non-binding principles adopted by the Asia-Pacific Economic Cooperative, mirroring OECD Fair Information Privacy Practices. They aim to balance information privacy with business needs to promote electronic commerce in the Asia-Pacific region.

Question 5

What is behavioural advertising, and what does GDPR require regarding it?

Answer 5

Advertising targeted at individuals based on observed behaviour, often through automated data processing or profiling. GDPR requires users to be informed of processing logic, consequences, and allows opt-out options.

Question 6

What are Binding Corporate Rules, and what do they enable?

Answer 6

BCRs are safeguards under GDPR that allow cross-border transfers of personal data within a corporate group. They ensure consistent, high-level data protection and require approval by a data protection authority.

Question 7

What is a Business Continuity and Disaster Recovery Plan?

Answer 7

A risk mitigation plan ensuring that critical business functions continue during a crisis. It covers recovery actions for events like natural disasters or cyberattacks.

Question 8

What is the purpose of COPPA?

Answer 8

Children’s Online Privacy Protection Act (COPPA) is a U.S. law requiring websites directed at children under 13 to post privacy notices, obtain parental consent for data collection, and allow parents to manage their child’s data.

Question 9

What does “consent” mean under GDPR?

Answer 9

Individuals must actively agree to data collection and processing, which can be explicit (opt-in) or implied. Consent must be freely given, informed, and revocable.

Question 10

What does the Data Minimisation Principle advocate?

Answer 10

Only collect and retain the personal data necessary for the specific purpose.

Question 11

When is a Data Protection Impact Assessment required under GDPR?

Answer 11

When processing activities are likely to result in high risks to individual rights, such as introducing new systems or significant changes to data use.

Question 12

What is Privacy by Design?

Answer 12

A framework ensuring privacy is integrated into system and process design from the outset, following principles like minimal data collection and robust security.

Question 13

Who is a Data Controller?

Answer 13

An entity or individual that determines the purposes and means of processing personal data.

Question 14

What constitutes a data breach?

Answer 14

The unauthorised acquisition of data that compromises its confidentiality, integrity, or security.

Question 15

What are the components of the Information Security Triad?

Answer 15

Confidentiality, Integrity, and Availability (CIA).

Question 16

What is a data inventory?

Answer 16

A record of personal data as it moves across systems, identifying its location, categorisation, and any inconsistencies to enable better management and compliance.

Question 17

What is Data Life Cycle Management?

Answer 17

A policy-based approach to managing data from creation to final disposition, ensuring security, retrievability, and compliance across its life cycle.

Question 18

What is a Data Protection Authority under GDPR?

Answer 18

An independent public authority that supervises the application of data protection laws, provides advice, and enforces compliance, including imposing fines.

Question 19

What does the principle of individual participation entail?

Answer 19

Individuals have the right to access their data, request corrections, and challenge any denied requests.

Question 20

What is a gap analysis in privacy management?

Answer 20

A review of current privacy capabilities to identify and address gaps between existing measures and required standards or laws.

Question 21

What is jurisdiction in the context of privacy law?

Answer 21

The authority of a court or regulatory body to enforce laws over certain geographical areas, individuals, or subject matters.

Question 22

How are metrics used in privacy management?

Answer 22

Metrics evaluate the effectiveness of privacy programs by measuring progress, compliance, and outcomes through quantifiable data.

Question 23

What is pseudonymous data?

Answer 23

Data that is not directly linked to an individual but can be indirectly associated through identifiers like codes or IP addresses.

Question 25

What is purpose specification under GDPR?

Answer 25

The principle that personal data should be collected for specified, explicit, and legitimate purposes and not used in incompatible ways.

Question 26

What does the retention principle involve?

Answer 26

Retaining personal data only as long as necessary for the stated purpose and securely disposing of it when no longer needed.

Question 27

What is a Privacy Impact Assessment?

Answer 27

An analysis to evaluate privacy risks of data handling processes and identify ways to mitigate potential impacts.

Question 28

Who is a privacy champion?

Answer 28

An executive advocate for privacy who promotes privacy as a core organisational concept.

Question 29

What is a Privacy Threshold Analysis?

Answer 29

A preliminary tool used to determine whether a Privacy Impact Assessment (PIA) is required for a specific process or project.

Question 30

What is Protected Health Information?

Answer 30

Any identifiable health data held or processed by a HIPAA-covered entity related to health conditions, care, or payments.

Question 31

What are security safeguards?

Answer 31

Measures to protect personal data against risks like unauthorised access, loss, or modification.

Question 32

What is social engineering in cybersecurity?

Answer 32

A method attackers use to manipulate individuals into divulging sensitive information or compromising security.

Question 33

Who are stakeholders in a privacy program?

Answer 33

Executives or teams responsible for privacy activities within an organisation, such as legal, HR, IT, or compliance.

Question 34

What is vendor management in privacy compliance?

Answer 34

The assessment of third-party vendors for privacy and security practices, ensuring compliance with data protection laws.

Question 35

What is WebTrust?

Answer 35

A self-regulating seal program created by the AICPA and CICA for licensed certified public accountants to validate trust.

Question 36

What is the AICPA?

Answer 36

American Institute of Certified Public Accountants (AICPA). A U.S. professional organisation for certified public accountants, co-creator of the WebTrust seal program.

Question 37

What is the role of the CICA?

Answer 37

Canadian Institute of Chartered Accountants (CICA). The Canadian professional body responsible for setting standards, ethics, and education for chartered accountants.

Question 38

What are the main requirements of COPPA?

Answer 38

Children’s Online Privacy Protection Act (COPPA). Requires websites directed at children under 13 to: - Post a privacy notice. - Obtain parental consent before collecting data. - Allow parents to review, delete, or manage their child's data.

Question 39

What are the three principles of the CIA triad?

Answer 39

Confidentiality, Integrity, and Availability.

Question 40

What is the principle of collection limitation?

Answer 40

Personal data should only be collected by lawful and fair means, and where appropriate, with the knowledge or consent of the data subject

Question 41

What is a consumer reporting agency?

Answer 41

An entity that compiles or evaluates personal information to furnish consumer reports to third parties for a fee.

Question 42

What does cyber liability insurance cover?

Answer 42

Insurance for breach-related expenses, including: - Forensic investigations. - Legal fees. - Breach notifications. - Crisis management services.

Question 43

What is direct marketing?

Answer 43

Marketing where the seller directly contacts an individual rather than using mass media like TV or radio.

Question 44

What is the Do Not Track initiative?

Answer 44

A proposed regulation allowing consumers to opt-out of web tracking, similar to the Do-Not-Call Registry.

Question 45

What does the ECPA protect?

Answer 45

Electronic Communications Privacy Act (ECPA) Protects wire, oral, and electronic communications during transmission and when stored electronically.

Question 46

What did the EU Data Protection Directive (95/46/EC) establish?

Answer 46

A framework for personal data protection in the EU, replaced by the GDPR in 2018.

Question 47

What is GAPP?

Answer 47

Generally Accepted Privacy Principles (GAPP). A framework developed by the AICPA and CICA with ten principles, including notice, choice, security, and accountability.

Question 48

What does the GLBA regulate?

Answer 48

Gramm-Leach-Bliley Act (GLBA) regulates financial institutions’ handling of non-public personal information, requiring notice, security, and opt-out options for data sharing.

Question 49

What is HIPAA’s primary purpose?

Answer 49

Health Insurance Portability and Accountability Act's (HIPAA) purpose is to create national standards for electronic healthcare transactions and protect patient health information

Question 50

What is hybrid governance in privacy?

Answer 50

A model combining centralised oversight with decentralised execution, often used by large organisations. Typically seen when a large organisation assigns a main individual responsibility for privacy-related affairs, and the local entities then fulfil and support the policies and directives from the central governing body.

Question 51

What are information security practices?

Answer 51

Controls that reduce risks like data loss, unauthorised access, or modification.

Question 51

What are the stages of the information life cycle?

Answer 51

Collection, processing, use, disclosure, retention, and destruction.

Question 52

What constitutes negligence in privacy?

Answer 52

Failing to protect personal information, leading to harm or breach of legal duty

Question 53

What is non-public personal information under GLBA?

Answer 53

Personally identifiable financial information provided to or collected by financial institutions, excluding publicly available information.

Question 54

What is the principle of openness?

Answer 54

Organisations should maintain transparency about data collection, usage, and protection practices.

Question 55

What does opt-in mean?

Answer 55

A model where individuals actively agree to data collection or sharing.

Question 56

What does opt-out mean?

Answer 56

A model where data collection or sharing proceeds unless the individual actively declines.

Question 57

What is a privacy program framework?

Answer 57

A structured roadmap for implementing and managing an organisation’s privacy initiatives.

Question 58

What are privacy-enhancing technologies?

Answer 58

Tools designed to protect privacy, such as encryption, anonymisation, and the Platform for Privacy Preferences (P3P).

Question 59

What does the GDPR say about fully automated decisions?

Answer 59

Individuals can object to decisions made solely by automated processing, especially if it impacts their rights.

Question 60

What is social engineering in privacy and security?

Answer 60

Manipulating individuals into divulging confidential information or compromising security protocols.

Question 61

What is the Platform for Privacy Preferences (P3P)?

Answer 61

A machine-readable language that expresses a website’s data management practices to facilitate automated privacy decisions by users.

Question 62

What does the Privacy Maturity Model provide?

Answer 62

A standardised reference for assessing the maturity level of a privacy program.

Question 63

What are the phases of the privacy operational life cycle?

Answer 63

Assess, Protect, Sustain, and Respond—focused on refining and improving privacy management processes.

Question 64

When is a Privacy Threshold Analysis used?

Answer 64

To determine whether a Privacy Impact Assessment (PIA) is necessary for a particular process, project, or system.

Question 65

What is protected health information under HIPAA?

Answer 65

Any health data that identifies an individual and is created, used, or disclosed by a covered entity or business associate.

Question 66

What is a Qualified Protective Order in healthcare privacy?

Answer 66

A legal order that restricts the use and disclosure of protected health information during litigation.

Question 67

What is the Respond phase in the privacy operational life cycle?

Answer 67

A phase focused on handling information requests, legal compliance, and incident response to mitigate risks and ensure compliance.

Question 68

How is ROI applied in privacy programs?

Answer 68

It measures the financial value of privacy investments by evaluating their effectiveness in protecting assets and ensuring compliance.

Question 69

What does the retention principle in data management state?

Answer 69

Personal data should only be retained as long as necessary for its intended purpose and securely deleted afterward.

Question 70

What is the principle of security safeguards?

Answer 70

Personal data must be protected by reasonable security measures to prevent risks like unauthorised access, loss, or destruction.

Question 71

Who are stakeholders in a privacy program?

Answer 71

Individuals or departments responsible for privacy activities, such as legal, compliance, IT, and marketing teams.

Question 71

What is substitute notice in data breach laws?

Answer 71

An alternative notification method when notifying individuals directly is impractical, often involving email, website postings, or media announcements.

Question 72

What happens in the Sustain phase of the privacy operational life cycle?

Answer 72

Monitoring, auditing, and communicating privacy processes to maintain ongoing compliance and effectiveness.

Question 73

What is US-CERT’s role in cybersecurity?

Answer 73

A partnership between the U.S. Department of Homeland Security and private sectors to coordinate responses to internet security threats.

Question 74

What are the 14 competency areas of the US-CERT IT Security Essential Body of Knowledge?

Answer 74

Digital Security; Digital Forensics; Enterprise Continuity; Incident Management; IT Security and Training Awareness; IT Systems Operation and Maintenance; Network and Telecommunications Security; Personnel Security; Physical and Environmental Security; Procurement; Regulatory and Standards Compliance; Security Risk Management; Strategic Security Management; and System and Application Security.

Question 75

What is the purpose of vendor management in privacy?

Answer 75

To assess third-party vendors for compliance with privacy and security policies and reduce risks associated with outsourcing.

Question 76

What does video surveillance typically exclude?

Answer 76

Sound recording, focusing solely on visual monitoring.

Question 77

What are the five steps of the metrics life cycle?

Answer 77

Identify the audience, define data sources, select metrics, refine collection points, and analyse data for feedback and improvement.

Question 78

What is the purpose of the PCI Data Security Standard?

Answer 78

A self-regulatory framework ensuring the secure handling of payment card data.

Question 79

How does negligence relate to data privacy?

Answer 79

It occurs when an organisation fails to protect personal data, breaching a legal duty and causing harm.

Question 80

What are the five phases of the audit life cycle?

Answer 80

Audit Planning, Audit Preparation, Conducting the Audit, Reporting, and Follow-up.

Question 81

What is the purpose of a business case in privacy management?

Answer 81

It defines the organization’s privacy needs and aligns them with business goals, such as compliance and customer trust.

Question 82

What is a Business Continuity Plan?

Answer 82

A document outlining steps to maintain critical operations during crises, such as natural disasters or cyberattacks.

Question 83

What is decentralised governance?

Answer 83

A model that delegates privacy decision-making authority to lower organisational levels for flexibility and localised control.

Question 84

What are Fair Information Practices?

Answer 84

Principles like notice, choice, access, and accountability that form the foundation of many privacy laws and frameworks.

Question 85

What is generalisation in anonymisation?

Answer 85

A method that broadens specific data points (e.g., age 30 → age range 30–40) to reduce identifiability.

Question 86

What is Information Life Cycle Management?

Answer 86

A comprehensive framework for managing data from creation to destruction, emphasising security, retrievability, and compliance.

Question 87

What rights does the individual participation principle grant?

Answer 87

The right to access, verify, and request corrections to personal data held about them.

Question 88

Who are internal partners in privacy management?

Answer 88

Departments or teams, like HR or IT, that collaborate on privacy-related activities within an organisation.

Question 89

What is the role of NIST in privacy and security?

Answer 89

National Institute of Standards and Technology (NIST): To develop and issue standards and guidelines, including the NIST Privacy Framework and cybersecurity protocols.

Question 90

What is performance measurement in privacy management?

Answer 90

The process of defining and tracking metrics to evaluate the effectiveness of privacy processes and controls.

Question 91

How is personal data defined under GDPR?

Answer 91

Any information relating to an identified or identifiable natural person.

Question 92

What is PIPEDA?

Answer 92

Personal Information Protection and Electronic Documents Act (PIPEDA): Canada’s federal privacy law regulating private sector organisations to instil trust in electronic commerce and transactions.

Question 93

What are Privacy by Design’s seven foundational principles?

Answer 93

Proactive, preventative, privacy as default, embedded into design, end-to-end security, visibility and transparency, and user-centric

Question 94

What does a privacy program framework include?

Answer 94

Checklists, processes, and structure to guide organisations in managing privacy effectively.

Question 95

How does pseudonymous data differ from anonymised data?

Answer 95

Pseudonymous data can still be linked to an individual through indirect identifiers, whereas anonymised data cannot.

Question 96

What is the right to challenge under FIPs?

Answer 96

The individual’s ability to dispute inaccuracies in their data and request corrections.

Question 97

What does the transparency principle require?

Answer 97

Organisations must clearly communicate their data practices, including how data is collected, used, and shared.

Question 98

What is the WebTrust seal program?

Answer 98

A self-regulatory initiative by the AICPA and CICA to certify websites for trusted data practices.

Question 99

What is an incident response plan?

Answer 99

A structured approach for handling data breaches and other security incidents, focusing on minimising harm and restoring normal operations.